FTK IMAGER

A relatively new offering in imaging software choices is the FTK Imager, available from AccessData, http://www.accessdata.com. This is a free software package that is available to download for existing users of AccessData's FTK product. The most notable attribute of the FTK Imager is that it does not have its own proprietary format for images. Instead, the FTK Imager allows you to choose to create an EnCase, SMART, or DD (raw) image of a disk. In addition, FTK Imager is the only product today that can convert between image types, meaning that you can take an EnCase image and produce a raw or SMART image from it.

Implementation

FTK Imager is a Windows-only tool that does not come with any type of boot disk. Instead, you must have a write blocker, such as Guidance Software's FastBloc or Paraben's Lockdown, in order to properly create an image of a drive without modifying your evidence. Both the SMART and EnCase image formats will add compression and allow images to be broken up into chunks, enabling them to be stored across multiple drives if you do not have enough space on one. However, the DD (raw) format will not be compressed and will write out as one large file, so make sure to have enough space on the drive you are writing your data to. Specifically, make sure that the destination drive is larger than the source drive if you plan to do a DD image, which some people choose to do because of its speed.

After attaching the write blocker to your system, you can create an image, in this case a SMART image, with the following steps:

  1. Load FTK Imager.

  2. Click the Create Disk Image icon.

  3. We always recommend imaging the full physical disk, so click Next.

  4. Choose the drive we attached via the write blocker and click Finish.

  5. Next click Add.

  6. Now we select the image type we are creating, which in this case is a SMART image, and click Next.

  7. Enter information about our drive and investigation. The case and evidence numbers are for your purposes; specifically, they are used to keep track of which evidence belongs to which investigation. You can pick any naming convention, but we would recommend that you give each investigation a number and each piece of evidence you acquire a separate number starting at 1 for each investigation.

    In the Unique Description field you can list the owner of the drive. The examiner's name is your own and the Notes section is normally used to record the serial number of the drive.

    Remember that you cannot change the information stored in this image later, so double-check what you've entered now.

  8. After you've entered this information, click Next.

  9. Now we are going to tell it where to write the image to and what to name it. As you can see in the next screen, we can also change how many megabytes each portion of the image will take before it starts storing the data in a new sequentially numbered file. The default is 650MB for CD-ROMs and the maximum for FTK Imager is 2GB. We'll leave the default and click Finish.

  10. We can add additional images to create if we wanted to, but since we only want one copy at this time, we will click Start.

  11. A progress screen will now appear, giving you information about the speed and estimated time of your imaging.

  12. Finally, you'll see that the image has been successfully created (as shown at right); you are done.
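
The storage constraints described above (a raw image is one uncompressed file that needs a destination larger than the source, while segmented images can be spread over several drives in fragments of 650MB by default and 2GB at most) can be checked before starting an acquisition. The planner below is an added example, not code from the book or from AccessData; the function name plan_image, the volume names, the sample sizes, and the reading of "MB" as MiB are assumptions, and segmented images are sized for the worst case where compression saves nothing.

```python
# Added example: pre-acquisition storage planner (hypothetical helper, not an FTK Imager API).
MIB = 1024 * 1024            # assumption: the "MB" in the text is treated as MiB
DEFAULT_FRAGMENT_MB = 650    # default fragment size given in the text
MAX_FRAGMENT_MB = 2048       # the 2GB maximum given in the text, expressed in MB


def plan_image(source_bytes, volumes, image_type="smart",
               fragment_mb=DEFAULT_FRAGMENT_MB):
    """Map destination volumes to the image files each one will hold.

    volumes: dict of volume name -> free bytes, in the order they will be used.
    Returns {volume: [file numbers]}; raises ValueError if the image cannot fit.
    Segmented images are planned for the worst case (no compression gain).
    """
    if image_type == "dd":
        # Raw image: one uncompressed file, so a single volume must be
        # larger than the source drive.
        for name, free in volumes.items():
            if free > source_bytes:
                return {name: [1]}
        raise ValueError("no single destination is larger than the source")

    if not 0 < fragment_mb <= MAX_FRAGMENT_MB:
        raise ValueError("fragment size must be 1..%d MB" % MAX_FRAGMENT_MB)
    frag = fragment_mb * MIB
    total = -(-source_bytes // frag)      # ceiling division
    plan, seg, remaining = {}, 1, source_bytes
    for name, free in volumes.items():
        while seg <= total:
            size = min(frag, remaining)   # the last segment may be short
            if size > free:
                break                     # volume full, continue on the next
            plan.setdefault(name, []).append(seg)
            free -= size
            remaining -= size
            seg += 1
    if seg <= total:
        raise ValueError("destinations hold %d of %d segments" % (seg - 1, total))
    return plan


if __name__ == "__main__":
    # Constructed sizes: a 2000 MiB source and two partly filled destinations.
    dests = {"E:": 1400 * MIB, "F:": 1000 * MIB}
    print(plan_image(2000 * MIB, dests))            # segmented SMART image
    try:
        plan_image(2000 * MIB, dests, image_type="dd")
    except ValueError as err:
        print("raw image rejected:", err)
```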



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2006
Pages: 175
